Privacy policy

Foreword

The College collects, uses and discloses personal information in accordance with the ten fair information principles of the Canadian Standards Association Model for the Protection of Personal Information¹ (the “CSA Model Code”). This Privacy Policy outlines the standards and guidelines by which the College adheres with respect to the personal information of its members.

This Privacy Policy does not apply to the personal information of employees of the College.

What is personal information?

Personal information is any information about an identifiable individual, or information that when combined with other, readily available information, may identify an individual (including opinions about an individual). Personal information that the College collects, uses or discloses may include member names, addresses, telephone numbers, e-mail addresses, credit card information, or other contact information and personally identifiable data, date of birth, social insurance number, age, marital and financial status, race, national or ethnic origin, and religion. 

What is personal health information?

Personal health information for the purpose of this policy, is identifying information about a patient or a physician, and includes demographic information (name, address, date of birth), health card number and information related to a patient or physician’s physical and mental health care. Personal health information can be documented and undocumented and continues to be protected after a patient or physician is deceased. Information that identifies a person who provided healthcare to a patient is that patient’s personal health information.

In this policy, any reference to personal information includes personal health information. 

The ten principles of the CSA Model Code as applied by the College

1. Accountability

The College is accountable for all personal information under its control, including information which it may transfer to a third party. The College collects, uses and discloses information in accordance with its obligations under the Nova Scotia Medical Act ³ and the CSA Model Code. College staff are trained in standards and guidelines with respect to privacy and confidentiality.

To fulfill this purpose, the College has designated an individual as a Privacy Officer who is responsible for everyday operation and control of personal information as well as the College’s compliance with this Policy. Contact information of our Privacy Officer is included below.

2. Identifying purposes

The College is required, pursuant to the Nova Scotia Medical Act³, to regulate the practice of medicine in the province with due regard to the public interest. The College uses personal information of its members (as well as of patients and complainants), to carry out this function. The purposes for which the College collects, uses and discloses personal information include:

• membership application
• regulatory purposes
• registration and licensing
• credentials verification and assessment
• incorporation membership
• record of membership and licensees / member status
• administration of the Physician Health Program
• assisting other entities, including the Nova Scotia Health Authority and the IWK, or any other entity through which physicians in Nova Scotia may operate, to address issues of physician health and wellness
• peer review
• complaints and investigations (policies and practices related to confidentiality of the complainant and the physician as set out in the College’s publication policies)
• assessment of competence and/or performance
• communication with members
• publication distribution
• establishment and maintenance of physician listings to publish on the College website and made available to inquirers
• administration and facilitation of members’ affiliations with the Canadian Medical Association, Dalhousie University, relevant Nova Scotia government departments and health authorities, the Medical Services Insurance Program (MSI), Doctors Nova Scotia, the Medical Identification Number for Canada (MINC) and other medical regulatory authorities
• demographics: research, analysis and planning
• correspondence information and documents with third parties as required by our objectives and to interchange information with regulatory bodies worldwide
• compilation of statistics
• payment of annual licencing fees
• surveys

If the College wishes to use personal information for a purpose not identified, the new purpose will be identified and the College will seek consent of the individual prior to use, unless required or permitted by law.

3. Consent

a) Members’ personal information

The College is dedicated to making members aware of the purposes for which their personal information is collected, the use of the information and reasons for disclosure. Unless required or permitted by the Medical Act or other applicable law, the College obtains consent from members for the collection, use, and disclosure of personal information. In certain circumstances, the consent of the individual can be obtained after the collection of the information, but before use and disclosure.

The College will not, as a condition of the supply of services, require that an individual consent to the collection, use, or disclosure of information beyond what is required for legitimate and communicated purposes. Some information related to licensing, competence, and professional development must be provided as a condition of obtaining and maintaining one’s professional status.

There may be circumstances where consent may be implied by the circumstances. In such cases, the purpose for the collection and use of personal information must be apparent and the College may only use the personal information for the apparent purpose. In such a case, the College will not use that information for any other purpose.

The law provides certain exceptions to the usual requirement to obtain an individual’s consent. For example, an organization may collect and use personal information in circumstances where the collection and/or use of such information is clearly in the interests of the individual and consent cannot be obtained in a timely way. Similarly, personal information may be collected and used without the consent of the individual if the information is reasonably required to investigate a breach of an agreement, a violation of the law or investigations related to professional discipline and there is reason to believe that obtaining consent may compromise the availability or accuracy of such information.

Members can withdraw consent anytime for the retention and use of personal information, but only to the extent that such consent withdrawal does not affect the ability of the College to carry out its statutory functions. The College will inform the member of the implications of such withdrawal.

b) Personal health information

Regulatory bodies like the College are not custodians of personal health information under the Personal Health Information Act(PHIA). This means that even though the College may collect and use personal health information about individuals, it is not governed by PHIA, as it does not collect personal health information for the purpose of health care or the planning and management of the health system.² The College does not need to obtain consent from patients for the collection, use, and disclosure of their personal information relating to an investigation of a complaint. Where a complainant is not the patient (for example, in a situation where a complainant is a family member of a patient), the College will obtain consent of the patient to share relevant records with the complainant.

Additionally, in cases where a complainant is not the guardian or authorized decision maker of the patient, the College will obtain consent from the patient or executor of their estate.

4. Limiting collection

The College collects personal information and personal health information only to the extent necessary for the purposes identified. Personal information is collected in a fair and lawful manner.

5. Limiting use, disclosure and retention

a) Members’ personal information

The College does not sell or trade member personal information to third parties. Personal information is only used or disclosed for the purpose for which it was collected with the consent of the member, or as required or permitted by law.

The personal information of the member is retained as long as it is considered necessary according to the College’s Document Retention policy.

b) Patients’ personal health information

As per Section 45 of the Personal Health Information Act⁶ an (organization) that is not a custodian is authorized to collect the personal health information that a custodian may disclose to it, but that (organization) does not become a custodian merely by virtue of its collection of the personal health information that the custodian has disclosed to it.

The College will not disclose personal health information for any purpose other than the purpose for which it was authorized to disclose the information. In addition, the College will not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, unless the disclosure is required by law.

6. Accuracy

The College is dedicated to maintaining personal information in a form that is accurate, complete and current as is necessary for the fulfillment of the College’s purposes. Members are encouraged to contact the College and update any changes in their personal information. The College will correct or amend personal information that is shown to be incomplete or inaccurate.

7. Safeguards

The College takes reasonable steps to protect personal information against loss, unauthorized access, use, disclosure and alteration, no matter what form the information is in (for example, electronic version or physical copies).

The safeguards used by the College include:

• physical measures: locked filing cabinets, key-pads or locks to restricted areas, alarm system in the office
• organizational measures: employees’ training, confidentiality agreements, limited access on “need to know” basis
• technological measures: use of security software, password, firewall and encryption
• destruction measures: records and documents of the members are destroyed in a confidential manner (e.g., shredding of paper records, wiped clean/deleting of discs and physical destruction of hard drives)
• third party obligations: contractual privacy agreement with third parties to ensure the protection of your personal information; third parties enter into a legal contract and confidentiality agreement before the College uses their services

The College has in place security processes in place regarding data collection and removal of data from its website. Data collected by the College regarding a complainant is manually deleted from the website.

8. Openness

The College is open about its policies and procedures and will provide members and other interested parties with specific information relating to the maintenance of personal information. These policies are available by contacting the College’s Privacy Officer.

9. Individual access

Members may contact the Privacy Officer at any time to discuss access to their own personal information. Upon written request, access will be provided, except as outlined below. A small fee may be applied to cover the cost of administration. Where legal or regulatory requirements prevent allowing access to personal information, the College will provide you with the reasons for denial of access.

10. Challenging compliance

The College’s Privacy Officer is responsible for overseeing compliance with this Privacy Policy. Any questions can be directed to the Privacy Officer who will respond to any concerns.

We will investigate all complaints and will take appropriate action to resolve the issue. We also welcome your comments and suggestions regarding this Privacy Policy.

Website visitors

If you visit our website (https://cpsns.ns.ca/) certain information is collected from you automatically, as described below.

1. IP address

Web servers automatically collect certain information when you visit a website, including your Internet Protocol (IP) address. IP addresses are unique numbers Internet Service Providers (ISP) assign to all devices accessing the Internet. The IP address, on its own, may not identify you as an individual. However, in certain circumstances, such as with the co-operation of an ISP for example, it can identify an individual. For this reason, the College considers IP address as personal information, particularly when combined with other data automatically collected such as the page or pages visited, date and time of the visit, etc.

2. Cookies

The College analyzes website traffic data and uses cookies to improve our services. A “cookie” is a piece of text that the College’s web server can store on your computer. The cookies the College uses log your progress through the site and record how you accessed the site. The information collected by the College is limited and cannot identify specific users. Any information collected is only used to improve our website and the user experience. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our website.

3. Web analytics

Web analytics is the collection, analysis, measurement, and reporting of data about web traffic and visits for purposes of understanding and optimizing web usage. 

When your computer requests a College web page, we collect the following types of information for web analytics using digital markers:

• the originating IP address
• the date and time of the request
• the type of browser used
• the page(s) visited

Information we collect and use for the purpose of web analytics is in accordance with our mandate under the Regulated Health Professionals Act. We may use such data to improve the College’s website as well as for communications and information technology statistical purposes, audit, evaluation, research, planning and reporting.

We do not disclose this information to any external third-party service providers.

4. Links to other websites

Our website may include links to websites managed by other organizations. The College of Physicians and Surgeons of Nova Scotia is not responsible for the protection of any information you give to these websites or the content on these websites. Please ensure you read the Privacy Policy of any other website you link to, to understand how your personal information is collected, used, and disclosed on such sites.

For more information on the College’s Privacy Policy:

Ms. Tricia Crease, Privacy Officer 
College of Physicians and Surgeons of Nova Scotia 
400 – 175 Western Parkway Bedford, NS B4B 0V1 
Phone: (902) 421-2200, Fax: (902) 422-5035
tcrease@cpsns.ns.ca

Revision to the Privacy Policy

This version of the Privacy Policy is effective October 7, 2024.

Due to changes in technology and legal requirements, the College reserves the right to revise its Privacy Policy from time to time. Any revised version of this Privacy Policy will be posted on the College website.

Resources

1. Canadian Standard Association Model Code for the Protection of Personal Health Information
2. Toolkit for Custodians: A Guide to the Personal Health Information Act
3. Nova Scotia Medical Act 2011
4. Personal Information Protection and Electronic Documents Act 
5. E-health Privacy and Security Guide, Doctors Nova Scotia January 2021
6. Personal Health Information Act (PHIA 2010)